Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application:

1) (Currently Amended) A method for determining compliance with
organizational business policies associated with a business risk of managing risk with the
aid of a computer system, said method comprising:

a. thea computer receiving a user selection of business risk elements, 
said business risk elements being retrieved from a database 
coupled to said computer; 

b. for each business risk element, the computer retrieving one or 
more predetermined control procedures, the control procedures[d]
identified by an administrator as a means for complying with
business policies associated with mitigating said business risk
element by reducing the likelihood that the risk will occur;

c. the computer associating said one or more predetermined control 
procedures with said business risk element, said predetermined 
control procedures being stored in said database; 

d. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

e. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, the rating selected by 
the user indicating a level of compliance with each one of said 
predetermined control procedures, for each of said predetermined
control procedures the level of compliance is selected from a rigid
set of compliance ratings, the same set of compliance ratings is
available for each of said predetermined control procedures; and

f. the computer calculating a compliance score, said compliance
score being a function of said assigned weights and said 
compliance rating of said predetermined control procedures. 

2) (Previously Amended) The method of claim 1, wherein said compliance
ratings comprise at least one rating identifying a non-fully compliant control procedure,
said method further comprising the steps of: 

a. for each said control procedure having a non-fully compliant
rating, the computer receiving a user generated signal indicating 
whether said non-fully compliant rating is accepted or not 
accepted; and 

b. for each said non-fully compliant control procedure which is 
indicated as not accepted, requiring the user to provide signals for 
generating an action plan. 

3) (Previously Amended) The method of claim 2 wherein said action plan
include a target date, said method further comprising the step of the computer calculating
an expected compliance score for one or more future dates based on said action plan 
target dates. 

4) (Previously Amended) The method of claim 3 further comprising the 
step of the computer tracking whether said expected compliance scores have been met, 
said tracking including calculating actual compliance scores for said target dates. 

5) (Previously Amended) The method of claim 4 further comprising the 
step of the computer displaying said expected compliance scores versus said actual 
compliance for said target dates. 

6) (Previously Amended) The method of claim 1 further comprising the 
step of the computer associating one or more parameters with each said compliance 
rating. 

7) (Original) The method of claim 6 wherein said one or more parameters 
are selected from the group comprising organization, business line, process, and region. 

8) (Previously Amended) The method of claim 6 further comprising the 
step of the computer sorting said compliance scores by said one or more parameters.

9) (Previously Amended) The method of claim 8 further comprising the 
step of the computer displaying said sorted compliance scores. 

10) (Currently Amended) A method for determining compliance with
organizational business policies associated with a business risk of managing risk with the
aid of a computer system, said method comprising:

a. thea computer receiving a user selection of a business risk 
element[s], said risk element[s] being retrieved from a database 
coupled to said computer; 

b. the computer identifying one or more subrisk elements associated 
with [each] said business risk element, each said subrisk element 
being retrieved from said database; 

c. for at least one subrisk element, the computer retrieving one or 
more predetermined control procedures, the control procedures[d] 
identified by an administrator as a means for complying with 
business policies associated with mitigating said subrisk element 
by reducing the likelihood that the risk will occur;

d. the computer associating said one or more control procedures with
said subrisk element, said control procedures being stored in said 
database; 

[d] e. the computer retrieving a weight assigned to each one of said
predetermined control procedures, said weight being stored in said
database; 

[e] f. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, each said compliance rating[s] 
selected from a rigid predetermined set of compliance ratings, the same set 
of compliance ratings is available for each of said predetermined control 
procedures including a plurality of categories including at least one
[category] rating indicating said control procedure is not fully compliant;

[f] g. the computer calculating a compliance score, said compliance
score being a function of said assigned weights and said compliance rating 
of said control procedures; 

[g] h. for each said subrisk, the computer determining whether at least 
one control procedure associated with said subrisk is not fully compliant; 

[h] i. for each said subrisk associated with at least one control procedure 
which is not fully compliant, the computer receiving a signal from the user 
indicating whether said subrisk should be accepted or not accepted; and 

[i] j. for each said subrisk which is indicated as not accepted, the
computer generating an action plan. 

11) (Previously Amended) The method of claim 10 wherein said action plan
further includes a target date, said method further comprising the step of the 
computer calculating a future compliance score based on said action plan target 
dates. 

12) (Previously Amended) The method of claim 10 further comprising the 
step of the computer associating one or more parameters with each said 
compliance rating. 

13) (Previously Amended) The method of claim 12 further comprising the 
step of the computer sorting said compliance ratings and displaying said sorted 
ratings. 

14) (Previously Amended) A method of forecasting compliance with 
organizational business policies associated with a business risk with the aid of a 
computer system, said method comprising: 

a. the computer identifying a set of business risk elements, said 
business risk elements being stored in a database coupled to said 
computer; 

b. for at least one business risk element, the computer retrieving one 
or more predetermined control procedures, the control 
procedures[d] identified by an administrator as a means for 
complying with business policies associated with mitigating said 
business risk element by reducing the likelihood that the risk will
occur;

c. the computer[,] associating said one or more control procedures 
with said business risk element, said control procedures being 
stored in said database; 

d. the computer retrieving a weight assigned to each one of said 
predetermined control procedures, said weight being stored in said 
database; 

e. the computer receiving a user selection of a compliance rating for 
each said predetermined control procedure, said compliance ratings 
chosen from a predetermined rigid set of ratings over a uniform 
range, the same set of compliance ratings is available for each of 
said predetermined control procedures, including at least one rating 
identifying a non-fully compliant control procedure and at least
one rating identifying fully compliant control procedures;

f. for each said control procedure having a non-fully compliant
rating, the user employing the computer to generate an action plan,
said action plan including a target date for at least one action listed 
therein; and 

g. the computer calculating an expected compliance score for a future 
date, said expected compliance score being a function of said 
assigned weights, said fully compliant control procedures, and said 
action plan target dates for said non-fully compliant control
procedures. 

15) (Original) The method of claim 14 wherein said action plan comprises a 
signal indicating whether said non-fully compliant rating is accepted or not accepted, said
expected compliance score further being a function of said non-fully compliant ratings
which have been accepted. 

16) (Currently Amended) A data processing system for determining
compliance with organizational business policies associated with a business managing
risk, said system comprising:

a. a database;

b. a processor coupled to said database, said processor being 
programmed to perform the steps comprising: 

i. the computer receiving a first signal identifying a user selection of 
a set of business risk elements, said business risk elements being 
stored in said database; 

ii. the computer receiving a second signal identifying a user selection 
of one or more control procedures associated with each said 
business risk element, said control procedure comprising a means 
for complying with business policies associated with to mitigate
said risk element, said control procedures being stored in said 
database; 

iii. the computer receiving a third signal assigning a weight to each 
said control procedure, said weight being stored said database; 

iv. the computer receiving a fourth signal identifying a user selection 
of a compliance rating for each said control procedure, for each of
said predetermined control procedures the compliance rating is
selected from a rigid set of compliance ratings, the same set of
compliance ratings is available for each of said predetermined
control procedures: and

v. the computer calculating a compliance score, said compliance 
score being a function of said assigned weights and said 
compliance rating of said control procedures, 

17) (Previously Amended) The data processing system of claim 16, wherein 
said compliance ratings comprise at least one rating identifying a non-fully compliant
control procedure, said processor being further programmed to perform the steps 
comprising: 

a. for each said control procedure having a non-fully compliant
rating, the computer receiving a signal indicating whether said
non-fully compliant rating is accepted or not accepted;

b. for each said non-fully compliant control procedure which is
indicated as not accepted, the computer receiving an action plan, 
said action plan including an expected target date for 
implementation and an expected compliance rating; and 

c. the computer generating one or more future expected compliance 
scores, said compliance scores being a function of said target dates, 
said assigned weights and said expected compliance rating of said 
control procedures. 

18) (Original) The data processing system of claim 16 further comprising a 
computer display coupled to said processor, said processor further being programmed to 
display said compliance scores on said computer display. 